[neon/qt/qtbase/Neon/release] debian/patches: add patch recommended by Qt for process injection issue
Jonathan Esk-Riddell
null at kde.org
Mon Feb 21 11:53:55 GMT 2022
Git commit 60ddc6172b86907cc87d8022c4e9bc8f2965b2dd by Jonathan Esk-Riddell.
Committed on 21/02/2022 at 11:53.
Pushed by jriddell into branch 'Neon/release'.
add patch recommended by Qt for process injection issue
A +56 -0 debian/patches/CVE-2022-25255-qprocess5-15.diff
M +1 -0 debian/patches/series
https://invent.kde.org/neon/qt/qtbase/commit/60ddc6172b86907cc87d8022c4e9bc8f2965b2dd
diff --git a/debian/patches/CVE-2022-25255-qprocess5-15.diff b/debian/patches/CVE-2022-25255-qprocess5-15.diff
new file mode 100644
index 0000000..7e29d89
--- /dev/null
+++ b/debian/patches/CVE-2022-25255-qprocess5-15.diff
@@ -0,0 +1,56 @@
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2021 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
\ No newline at end of file
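Review bot: The new patch file begins directly at `--- a/src/corelib/io/qprocess_unix.cpp` with no header, so the package does not record where this CVE-2022-25255 fix was taken from or which upstream change it mirrors. For a security patch, that provenance is what lets a later reviewer compare it with the version Qt published and drop it cleanly on the next rebase. A DEP-3 style header above the first `---` line would cover it, e.g. `Description: QProcess: stop falling back to the bare program name when findExecutable() finds nothing in $PATH`, `Origin: upstream, <URL of the Qt-published patch>` and `Last-Update: 2022-02-21`. The description matters because both rewritten branches (startProcess and startDetached) now set argv[0] from the possibly empty findExecutable() result, and the in-code comment only says that case is handled "much later", outside the visible hunks. The file also ends without a trailing newline (the `\ No newline at end of file` marker); adding one would rule out patch tools handling the final context line differently.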
diff --git a/debian/patches/series b/debian/patches/series
index 71ec769..a0565f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ qstorageinfo_linux.diff
cross_build_mysql.diff
qtbase-avoid-hardcoding-kernel-version.patch
xdg_filechooser_portal_send_window_id_in_hex.diff
+CVE-2022-25255-qprocess5-15.diff